URL Filtering Use Cases
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1
End-of-Life (EoL)
URL Filtering Use Cases
Learn about the various ways you can leverage URL filtering
to ensure your users safely access the web.
There are many ways to enforce web page access beyond
only blocking and allowing certain sites. For example, you can use
multiple categories per URL to allow users to access a site, but
block particular functions like submitting corporate credentials
or downloading files. You can also use URL categories to enforce
different types of policy, such
as Authentication, Decryption, QoS, and Security.
Read on for more about the different ways that you can deploy
URL filtering.
Control web access based on URL category
You
can create a URL Filtering profile that
specifies an action for a URL category and attach the profile to
a policy rule. The firewall enforces policy against traffic based
on the settings in the profile. For example, to block all gaming
websites you could set the block action for the URL category games in the
URL Filtering profile and attach it to the Security policy rule(s)
that allow web access.
Multi-Category URL Filtering
Every URL
can have up to four categories, including a risk category that indicates
the likelihood a site will expose you to threats. More granular
URL categorizations means that you can move beyond a basic “block-or-allow”
approach to web access. Instead, you can control how your users
interact
with
online content that, while necessary for business, is more likely
to be used as part of a cyberattack. For instance, you might
consider certain URL categories risky to your organization, but
are hesitant to block them outright as they also provide valuable
resources or services (like cloud storage services or blogs). Now,
you can allow users to visit sites that fall into these types of
URL categories while you protect your network by decrypting and
inspecting traffic and enforcing read-only access to the content.
For
a URL category that you want to tightly control, set the URL Filtering
profile action to alert as part of the steps to configure
URL Filtering. Then continue to follow the URL Filtering best
practices: decrypt the URL category, block dangerous file
downloads, and turn on credential phishing prevention.
You
can also define a custom URL category by selecting
Category
Match
and specifying two or more PAN-DB categories of
which the new category will consist. Creating a custom category
from multiple categories allows you to target enforcement for a
website or page that matches all of the categories specified in
the custom URL category object.Block or allow corporate credential submissions
based on URL category
Prevent
credential phishing by enabling the firewall to detect corporate
credential submissions to sites, and then control those submissions
based on URL category. Block users from submitting credentials to
malicious and untrusted sites, warn users against entering corporate
credentials on unknown sites or reusing corporate credentials on
non-corporate sites, and explicitly allow users to submit credentials
to corporate and sanctioned sites.
Enforce Safe Search Settings
Many search
engines have a safe search setting that filters out adult images
and videos from search results. You can enable the firewall to block
search results if the end user is not using the strictest safe search
settings, and you can transparently enable safe search for your
users. The firewall supports safe search enforcement for the following
search providers: Google, Yahoo, Bing, Yandex, and YouTube. See
how to get started with Safe Search Enforcement.
Enforce Password Access to Certain Sites
You
can block access to a site for most users while allowing certain
users to access the site. See how to allow password access
to certain sites.
Block high-risk file downloads from certain URL
categories
You can block high-risk file downloads from
specific URL categories by creating a Security policy with a File Blocking profile attached.
Enforce Security, Decryption, Authentication, and
QoS policies based on URL category
You can enforce different
types of firewall policies based on URL categories. For example,
suppose you have enabled Decryption,
but you want to exclude certain personal information from being
decrypted. In this case you could create a decryption policy rule
that excludes websites that match the URL categories financial-services and health-and-medicine from
decryption. Another example would be to use the URL category streaming-media in
a QoS policy to apply bandwidth controls to websites that fall in
to this category.
The following table describes the policies
that accept URL categories as match criteria:
Policy Type | Description |
---|---|
You can also use URL categories to phase-in
decryption, and to exclude URL categories that might contain sensitive
or personal information from decryption (like financial-services
and health-and-medicine). Plan to decrypt the riskiest traffic
first (URL categories most likely to harbor malicious traffic, such
as gaming or high-risk) and then decrypt more as you gain experience.
Alternatively, decrypt the URL categories that don’t affect your
business first (if something goes wrong, it won’t affect business),
for example, news feeds. In both cases, decrypt a few URL categories,
listen to user feedback, run reports to ensure that decryption is
working as expected, and then gradually decrypt a few more URL categories,
and so on. Plan to make decryption exclusions to
exclude sites from decryption if you can’t decrypt them for technical
reasons or because you choose not to decrypt them. Decrypting traffic based on URL categories
is a best practice for both URL Filtering and Decryption. | |
To ensure that users authenticate before
being allowed access to a specific category, you can attach a URL
category as a match criterion for Authentication policy rules. | |
Use URL categories to allocate throughput
levels for specific website categories. For example, you may want
to allow the streaming-media category, but limit throughput
by adding the URL category to a QoS policy rule. | |
In Security policy rules, you can use URL
categories in two ways:
If for example, the IT-security group
in your company needs access to the hacking category,
but all other users are denied access to the category, you must
create the following rules:
|